On Tue, 13 Oct 2009 19:23:26 +0200, Reinhard Tartler wrote:
> As for this bug, I'm inclined to close this bug with the upload of
> [2]. The reason is that this report is way to inprecise. This report
> currently reads "the package has been found crashers that might
> compromise the system". Sorry, this is just not helpful. We'd really
> need at least a list of concrete issues, ideally with reference to the
> relevant svn commits (so that commit messages can be reviewed) that can
> be processed and backported.
in an ideal world every security issue would come with a complete
prescription and regiment to make it all better. however, we do not
live in such a place. the best we can do is track the issue at hand,
follow work being done elsewhere, and potentially spend our own
precious time testing and writing fixes. obviously this is a lot of
work, but it is the price we pay since there are nefarious peoples
about.
i would recommend working with the security team to request cve's on
oss-sec for specific issues once they are well-defined, and address each
of them in turn; while keeping this bug open to track the meta-issue
(potentially downgrading to important as to not impede transitions).
note that any of these crashers that show signs of memory corruption
are very much cause for concern (see recent pdf jbig2 decoder issues).
the others can probably be safely discarded. by "may enable remote
compromise," i mean via user-assisted (social engineered) attack
vectors (i.e. downloading and viewing a malicious video file). this
is a very legitimate concern since most users are very trusting of
untrustworthy data.
mike